CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14599 vulnerabilities reference this CWE, most recent first.
GHSA-HP8V-M2MF-6FFV
Vulnerability from github – Published: 2025-04-09 18:30 – Updated: 2026-04-01 18:34Missing Authorization vulnerability in rtakao Sandwich Adsense allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sandwich Adsense: from n/a through 4.0.2.
{
"affected": [],
"aliases": [
"CVE-2025-31042"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-09T17:15:36Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in rtakao Sandwich Adsense allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sandwich Adsense: from n/a through 4.0.2.",
"id": "GHSA-hp8v-m2mf-6ffv",
"modified": "2026-04-01T18:34:34Z",
"published": "2025-04-09T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31042"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/firsth3tagadsense/vulnerability/wordpress-sandwich-adsense-4-0-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HP93-7VPR-RJWQ
Vulnerability from github – Published: 2025-04-16 15:34 – Updated: 2026-04-01 18:34Missing Authorization vulnerability in WC Product Table WooCommerce Product Table Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Product Table Lite: from n/a through 3.9.5.
{
"affected": [],
"aliases": [
"CVE-2025-39602"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-16T13:15:52Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in WC Product Table WooCommerce Product Table Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Product Table Lite: from n/a through 3.9.5.",
"id": "GHSA-hp93-7vpr-rjwq",
"modified": "2026-04-01T18:34:45Z",
"published": "2025-04-16T15:34:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39602"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/wc-product-table-lite/vulnerability/wordpress-woocommerce-product-table-lite-plugin-3-9-5-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HPCP-J63F-VVMQ
Vulnerability from github – Published: 2026-05-26 13:30 – Updated: 2026-05-26 13:30Missing Authorization vulnerability in TeconceTheme Mayosis Core allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Mayosis Core: from n/a through 5.4.7.
{
"affected": [],
"aliases": [
"CVE-2026-39655"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-26T08:16:20Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in TeconceTheme Mayosis Core allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects Mayosis Core: from n/a through 5.4.7.",
"id": "GHSA-hpcp-j63f-vvmq",
"modified": "2026-05-26T13:30:54Z",
"published": "2026-05-26T13:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39655"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/mayosis-core/vulnerability/wordpress-mayosis-core-plugin-5-4-7-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HPCW-9W82-7FR9
Vulnerability from github – Published: 2024-06-11 18:30 – Updated: 2024-06-11 18:30Missing Authorization vulnerability in SoftLab Radio Player.This issue affects Radio Player: from n/a through 2.0.73.
{
"affected": [],
"aliases": [
"CVE-2024-34753"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T16:15:27Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in SoftLab Radio Player.This issue affects Radio Player: from n/a through 2.0.73.",
"id": "GHSA-hpcw-9w82-7fr9",
"modified": "2024-06-11T18:30:45Z",
"published": "2024-06-11T18:30:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34753"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/radio-player/wordpress-radio-player-plugin-2-0-73-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HPF4-4CCJ-785M
Vulnerability from github – Published: 2026-06-25 15:31 – Updated: 2026-06-25 15:32Unauthenticated Broken Access Control in MainWP Child <= 6.1.1 versions.
{
"affected": [],
"aliases": [
"CVE-2026-27366"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T14:16:36Z",
"severity": "HIGH"
},
"details": "Unauthenticated Broken Access Control in MainWP Child \u003c= 6.1.1 versions.",
"id": "GHSA-hpf4-4ccj-785m",
"modified": "2026-06-25T15:32:00Z",
"published": "2026-06-25T15:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27366"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/mainwp-child/vulnerability/wordpress-mainwp-child-plugin-6-1-1-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HPGW-XQPP-W964
Vulnerability from github – Published: 2024-11-01 15:32 – Updated: 2026-04-01 18:32Missing Authorization vulnerability in WPVibes Elementor Addon Elements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Addon Elements: from n/a through 1.13.6.
{
"affected": [],
"aliases": [
"CVE-2024-47361"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-01T15:15:55Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in WPVibes Elementor Addon Elements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Addon Elements: from n/a through 1.13.6.",
"id": "GHSA-hpgw-xqpp-w964",
"modified": "2026-04-01T18:32:17Z",
"published": "2024-11-01T15:32:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47361"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/addon-elements-for-elementor-page-builder/vulnerability/wordpress-elementor-addon-elements-plugin-1-13-6-broken-access-control-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/addon-elements-for-elementor-page-builder/wordpress-elementor-addon-elements-plugin-1-13-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HPH3-HV3C-7725
Vulnerability from github – Published: 2023-01-10 22:28 – Updated: 2023-01-10 22:28If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status.
This includes users that don't have a validated email.
Guests cannot successfully create a reply because the API will fail with a 500 error when the user ID 0 is inserted into the database. This should also be fixed to return the expected 401/403 status.
This happens because when the first post of a discussion is permanently deleted, the first_post_id attribute of the discussion becomes null which causes access control to be skipped for all new replies.
Flarum automatically makes discussions with zero comments invisible so an additional condition for this vulnerability is that the discussion must have at least one approved reply so that discussions.comment_count is still above zero after the post deletion.
Impact
This can open the discussion to uncontrolled spam or just unintentional replies if users still had their tab open before the vulnerable discussion was locked and then post a reply when they shouldn't be able to.
In combination with the email notification settings, this could also be used as a way to send unsolicited emails.
Versions between v1.3.0 and v1.6.3 are impacted.
Patches
The vulnerability has been fixed and published as flarum/core v1.6.3. All communities running Flarum should upgrade as soon as possible to v1.6.3 using:
composer update --prefer-dist --no-dev -a -W
You can then confirm you run the latest version using:
composer show flarum/core
Workarounds
If you don't delete the first posts you are not affected. A workaround can be to delete the discussion itself, or amend the database to manually set a first_post_id.
For more information
For any questions or comments on this vulnerability please visit https://discuss.flarum.org/
For support questions create a discussion at https://discuss.flarum.org/t/support.
A reminder that if you ever become aware of a security issue in Flarum, please report it to us privately by emailing security@flarum.org, and we will address it promptly.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "flarum/core"
},
"ranges": [
{
"events": [
{
"introduced": "1.3.0"
},
{
"fixed": "1.6.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-22489"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-10T22:28:19Z",
"nvd_published_at": "2023-01-13T19:15:00Z",
"severity": "LOW"
},
"details": "If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status.\n\nThis includes users that don\u0027t have a validated email.\n\nGuests cannot successfully create a reply because the API will fail with a 500 error when the user ID 0 is inserted into the database. This should also be fixed to return the expected 401/403 status.\n\nThis happens because when the first post of a discussion is permanently deleted, the `first_post_id` attribute of the discussion becomes `null` which causes access control to be skipped for all new replies.\n\nFlarum automatically makes discussions with zero comments invisible so an additional condition for this vulnerability is that the discussion must have at least one approved reply so that `discussions.comment_count` is still above zero after the post deletion.\n\n### Impact\nThis can open the discussion to uncontrolled spam or just unintentional replies if users still had their tab open before the vulnerable discussion was locked and then post a reply when they shouldn\u0027t be able to.\n\nIn combination with the email notification settings, this could also be used as a way to send unsolicited emails.\n\nVersions between `v1.3.0` and `v1.6.3` are impacted.\n\n### Patches\nThe vulnerability has been fixed and published as flarum/core v1.6.3. All communities running Flarum should upgrade as soon as possible to v1.6.3 using:\n\n```\ncomposer update --prefer-dist --no-dev -a -W\n```\nYou can then confirm you run the latest version using:\n\n```\ncomposer show flarum/core\n```\n\n### Workarounds\nIf you don\u0027t delete the first posts you are not affected. A workaround can be to delete the discussion itself, or amend the database to manually set a `first_post_id`.\n\n### For more information\nFor any questions or comments on this vulnerability please visit https://discuss.flarum.org/\n\nFor support questions create a discussion at https://discuss.flarum.org/t/support.\n\nA reminder that if you ever become aware of a security issue in Flarum, please report it to us privately by emailing [security@flarum.org](mailto:security@flarum.org), and we will address it promptly.\n",
"id": "GHSA-hph3-hv3c-7725",
"modified": "2023-01-10T22:28:19Z",
"published": "2023-01-10T22:28:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/flarum/framework/security/advisories/GHSA-hph3-hv3c-7725"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22489"
},
{
"type": "WEB",
"url": "https://github.com/flarum/framework/commit/12f14112a0ecd1484d97330b82beb2a145919015"
},
{
"type": "PACKAGE",
"url": "https://github.com/flarum/framework"
},
{
"type": "WEB",
"url": "https://github.com/flarum/framework/releases/tag/v1.6.3"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Any Flarum user including unactivated can reply in public discussions whose first post was permanently deleted"
}
GHSA-HPHG-Q3XV-RQHP
Vulnerability from github – Published: 2025-05-07 15:31 – Updated: 2026-04-01 18:35Missing Authorization vulnerability in flowdee ClickWhale allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ClickWhale: from n/a through 2.4.6.
{
"affected": [],
"aliases": [
"CVE-2025-47612"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-07T15:16:14Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in flowdee ClickWhale allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ClickWhale: from n/a through 2.4.6.",
"id": "GHSA-hphg-q3xv-rqhp",
"modified": "2026-04-01T18:35:03Z",
"published": "2025-05-07T15:31:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47612"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/clickwhale/vulnerability/wordpress-clickwhale-2-4-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-HPHM-9VP4-H223
Vulnerability from github – Published: 2026-04-03 21:31 – Updated: 2026-04-03 21:31prompts.chat prior to commit 7b81836 contains multiple authorization bypass vulnerabilities due to missing isPrivate checks across API endpoints and page metadata generation that allow unauthorized users to access sensitive data associated with private prompts. Attackers can exploit these missing authorization checks to retrieve private prompt version history, change requests, examples, current content, and metadata including titles and descriptions exposed via HTML meta tags.
{
"affected": [],
"aliases": [
"CVE-2026-22663"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-03T21:17:09Z",
"severity": "HIGH"
},
"details": "prompts.chat prior to commit 7b81836 contains multiple authorization bypass vulnerabilities due to missing isPrivate checks across API endpoints and page metadata generation that allow unauthorized users to access sensitive data associated with private prompts. Attackers can exploit these missing authorization checks to retrieve private prompt version history, change requests, examples, current content, and metadata including titles and descriptions exposed via HTML meta tags.",
"id": "GHSA-hphm-9vp4-h223",
"modified": "2026-04-03T21:31:42Z",
"published": "2026-04-03T21:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22663"
},
{
"type": "WEB",
"url": "https://github.com/f/prompts.chat/pull/1104"
},
{
"type": "WEB",
"url": "https://github.com/f/prompts.chat/commit/7b81836b214f2796aaf37ded2944eadc978afd35"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/prompts-chat-authorization-bypass-information-disclosure"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-HPJC-QVFV-8FG6
Vulnerability from github – Published: 2026-07-13 12:35 – Updated: 2026-07-13 12:35Missing Authorization vulnerability in ThemeMove EduMall edumall allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EduMall: from n/a through <= 4.5.1.
{
"affected": [],
"aliases": [
"CVE-2026-57797"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-13T10:16:43Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in ThemeMove EduMall edumall allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EduMall: from n/a through \u003c= 4.5.1.",
"id": "GHSA-hpjc-qvfv-8fg6",
"modified": "2026-07-13T12:35:05Z",
"published": "2026-07-13T12:35:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-57797"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Theme/edumall/vulnerability/wordpress-edumall-theme-4-5-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.